Data draining... with no connection...

I have had Exede/Wildblue for five years, with the "Recovery Act" plan living in rural Oklahoma. 60 GB per month, I rarely get close to using that amount. My parents also live in the country, I urged them to get Exede as well. They started out with the 10 GB/month plan which was quickly used. I shrugged it off to having so little data on their plan.

Last month (the 24th) I noticed they could get the Liberty 50 GB plan, which they upgraded to. In less than 3 days, it was all gone. My father is 65 who works 5 days a week as a dentist (till 6-8 p.m.), my mother is 64 and a quadriplegic. Point is, they don't use the internet much. They hardly ever use streaming video.

So how 50 GB is used up in under a week made no sense, I called last week to open an investigation into this. Today rolls around, their data is reset at midnight, 0 GB used. By noon, the eSVT page shows they've used 3 gigs. I thought, maybe it's a router issue so I installed a new router and put a new password in with only two devices connected... the laptop I was using and one iPhone. Now, 5 hours later, the eSVT page shows 9.9 GB used and the router shows 5.5 GB used for today. Of that, 4.4 GB is "uploads". How this is even possible, considering I password protected the new router... I am at a loss. By Tuesday, they will be at the max 50 GB. There are no programs running in the background and his iPhone's iCloud backup is off. No apps running on it either. The router map shows only the laptop and the iPhone connected.

It sounds like iCloud, OneDrive, or some other cloud service is enabled, which is default for Windows 10 and for iDevices (phones or iPads) If you sign in to your iTunes account and, do not disable iCloud on the device, it will upload ALL music, photos, notes, contacts, etc... and, it syncs every time anything changes. Windows will upload photos, documents, and just about everything in the user/name signed on to computer folder several times per day.

Of course posting photos or videos to social media sites, sending them via email, posting them to a forum or blog also count as uploads. If they use Face Time on the iPhone, that uses a lot of data and, of course is a video upload - it's streaming, same as doing a live stream of a game or Facebook Live or whatever live upload you might do.

The 1 GB or so of downloads is probably updates and, page loads for websites or email.

All of the iCloud backup settings are turned off. I made sure that no data from the Apple products are going out. So it's off. My parents don't have any music or videos on their devices anyway (they're 65).They don't post photos or videos to social media pages, ever. And they never stream anything live... my momcan't even move from the neck down!

Going to a facebook page, reading a few emails and looking at a new page won't touch 1 GB in use. Sorry, not at all close to that. It's something else... it's leaking data somewhere else and I think it's the modem itself.

First off, Exede provides you with a connection to the internet. It does not use data. If the new router is showing 5.5 GB used for one day, that is not the modem using data, it is something on the home network, or the router itself, using data. If that new router has a good data management app it may show you what devices are connected, and what devices are using the data. Many also show which applications are using data on each device.

Do they have any other devices using WiFi, like Dish, Directv, Blueray, Xbox, etc.

Is the new router set up with a strong password protection?

There is something using the data in the background, using the home network. It might take some time to find it, but data doesn't disappear, it gets used, just as Bev has said in her post.

It's a basic password, that is 8 characters long that I put into place, but why would it need to be "strong" when you have to manually enter that password into a, say iPhone or SmarTV? It can't connect w/o that password, right?

I recommend if router has no monitoring tools to at least install glasswire on the pc of the home. There are also aps for mobile devices that can track data usage. Would help in figuring out which device is using the data.

Well, if I were to use say "BevWolf" for a router password, just about anyone that lives or visits me, or anyone that even knows anyone that knows me could easily guess it and, thus steal my data if they were within range of my router.

Most devices only need the password entered one time, they remember the network after that and, connect automatically. So if you connect say you DirecTV DVR ONE TIME then, do not change the password or, block it form connecting via router settings, it connects whenever it wants to, without you knowing it's connecting and, using your data.

Same for that iPhone, it only needs the router password ONE time, then it connects automatically when you have WiFi enabled and it is in range. It does not ask for a password a second time.

load up esvt and dashboard, then unplug the Ethernet cable from the back and leave it off as long as possible(longer the better). check it from public wifi or a cellphone BEFORE plugging the cable back in.

This technique has been shown to be unreliable in that it does not account for the delayed usage reporting from the modem - under normal circumstances that's every 15 minutes but can be longer. Furthermore, some here have stated that the eSVT usage reporting display is delayed even further. With a keen eye and observation you can determine when that delayed report occurs by observing the modems lights and recognizing the unique pattern that occurs during usage reporting.

The only way to verify the accuracy of the usage meter is to independently monitor data usage through whether your router (preferable but can be pricey to buy a router having very detailed info - worth it to avoid heartburn IMHO) or reliable third party tools (tedious and requires knowing all possible paths to your connection) installed on each of your devices.

For example and despite being an NRTC subscriber to Exede (everythings the same except for administrative issues and account admin), the following compares my usage over the past three days as reported by my router and NRTC (through Exede's usage counter central):

No discrepancy here... but as always, YMMV. I keep hoping this 5 year old router will die so I can upgrade to a newer ASUS that has full blown traffic analysis. For now however, it and Glasswire serve my needs - Glasswire gives the added detail I require. If it were to die today, I wouldn't hesitate to drop by the local big box and go with the ASUS RT-AC3100 but can be had cheaper elsewhere online.

Here is a (long) repost of one of my replies that touches on Networking, Glasswire as a monitoring tool and some screenshots of the Asus RT-AC3100 router and its data tracking utility.

If a user has a single computer connected directly to the modem it is
a simple matter to see what programs and processes are using the data
by installing the free version of Glasswire.

The inclusion of a
router really complicates the issue because of the shear number of
connection paths that it offers as well router security.

There has been a number of "sneaky" changes of late ....

Microsoft "telemetry" in Win10 as well as in Win7 and 8.1 depending on installed updates.

Some software that has undergone changes ... AVG antivirus now shares "telemetry"

Some versions of Nvidia video card drivers now sharing "user data"

Many
mainstream websites that now load more Ads, perform frequent
auto-refreshes, contain more Flash content and now have HTML5 video
"pre-fetch".

Some serious router vuln
erabilities that if not patched with firmware updates can leave a users
network compromised. These would include Netgear, Linksys and Cisco
routers.

It all depends on having a clear understanding of the "shape" of your network and connected devices.

I
have previously posted the following. Hopefully it will give you a
little better insight to your network and offer a roadmap of sorts to
follow in finding your answer:

Networks, even residential networks are much more complex than most of us realize.

In
the not so distant past routers and switches and "Networking" were
pretty much limited to businesses and perhaps the more "geeky"
subscriber.

A typical satellite users connection looked like this:

A
single computer directly connected to the Modem. There is only one path
that data can be used. There are no "cross roads" no chance of anything
using data beyond those two devices.

Things however even at this
level are more complex than meets the eye. That single computer by
itself has 65,536 connection ports.

There are broadly speaking two things in play here:

Applications ... Those are PROGRAMS that we start .. we can see them running such as a web browser of an email client program.

A look at Windows Task Manager reveals:

Three running Applications:

An email client program, a web browser and an open file.

However a look at running Processes shows something much more complex:

I currently have a whopping 102 Processes running in the background
unseen, unknown. Not all of these of course are going to be connected
to the Internet at any given time. They "turn on", perform their
function and turn off.

In our very simple "network" (single
computer directly connected) we could install a program like GlassWire
on that computer and it will show all data used by THAT computer and
what programs and processes used that data:

Our simple Network now has two "measuring points":

Point A is going to be the point along the single "data path" that is monitored by GlassWire.

Point B is going to be the usage registered by the Modem as "traffic" to be charged against the user monthly data allowance.

The two values should pretty much coi
ncide within reason.

It is possible to look at a usage meter that has yet to "refresh" or register the usage in the last few minutes.

It
is possible for the ISP to have "compressed" data and a smaller amount
is shown by the Modem as being charged against the allowance than
indicated by GlassWire.

At this point the perimeters are pretty straight forward:

Do the amounts measured at points A (computer) & B (Modem) match ?

If they do NOT and the Modem claims greater usage then I suggest the following process:

Take a screenshot of your remaining allowance (allow for data that has yet to be recorded)

Disconnect the LAN cable from the rear of the Modem and note the exact time.

Let a number of hours pass (overnight ?)

Reconnect
the LAN cable and again note the time and the amount of remaining data.
Again an allowance must be made for the usage meter to update itself.
What we are looking for here is a major discrepancy.

In the event
that A and B match then we have to conclude the all of the data used
(and charged against the users allowance) was indeed used by the
directly connected computer.

A careful look at GlassWire will reveal what program and what processes are using data.

There
are many things that can be done to conserve data .. browser extensions
that block ads and scripts among other things. Much easier to do once
the source of usage has been identified.

As we look at the above example we can see plenty of opportunity for data use and this just by a single computer.

The problem is very few subscribers Networks look like the above.

This is more typical:

The above really multiplies the complexity. It offers multiple connection paths and each of those by itself has the same complexity as the single computer shown in the example above.

We have to take a much closer look at the Router itself:

The router as a central point in the network has three potential data use avenues:

#1: Its firmware/hardware:

This
would include automatic update checks, Remote Access
accounts/vulnerabilities, WPS settings/vulnerabilities and "front end"
username/password setup to name a few.

#2: Wired LAN
connections and the types of devices connected as well as their
settings. Specifically end users not understanding the differences
between "hard off", "sleep" and "hibernate" as well as other system
settings such as Wake On LAN, Wake On Ring and even extending to
"scheduled tasks".

We need not even go into the details of forced updates and data "sharing" inherent to Win10 and being back ported to Win7/8/8.1

#3: We come to the most difficult to control ... Wireless activity (on each frequency dual/triple band routers)

We
can start with what encryption level, if any, has been set up. We also
need to consider the username and password that limits access to the
routers front end so that unauthorized users can add themselves to the
wireless users list. It needs to be changed from the default values.

We
also have the multitude of settings of the many types of devices that
can connect wirelessly be they computers, notebooks, tablets, cell
phones or even thermostats.

It is often not apparent when all
apps on all devices have had their update ability turned off. Very
frequently an update will cause other settings to change to their
default values.

Considering the number of "connection avenues"
provided by a router it is mandatory that it be included in any
troubleshooting steps ...

We have to understand the Router is at
the center of the Network ...ALL OF THE CONNECTION PATHS and ALL OF THE
DATA USED have to pass through the Router therefore it I suggest a
Router that allows the tracking of usage per device.

There are many brands and models available .. a user needs to research which one best serves the users needs.

I have a Asus RT-AC3100 that has traffic monitoring:

Main interface that has the routers options and displays among other things which devices are currently connected:

Which devices used how much data by IP and by date:

And a statistical analysis per device by the top consuming software or process:

One often overlooked area is usage by the Router itself in the form of its internal services:

I had enabled two of the above services and the router internally consumed nearly 1/2 GB within just several days.

Determining the cause of missing data or even excess use requires that a user have some degree of understanding their Network.

You
may also wish to read the questions and responses to the following
topics with a similar theme that includes details on using Glasswire and
general information on data loss.